npm - better-auth - Versions diffs - 1.7.0-beta.5 → 1.7.0-beta.7 - Mend

better-auth 1.7.0-beta.5 → 1.7.0-beta.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (272) hide show

package/dist/_virtual/_rolldown/runtime.mjs CHANGED Viewed

@@ -1,12 +1,8 @@
-import { createRequire } from "node:module";
 //#region \0rolldown/runtime.js
-var __create = Object.create;
 var __defProp = Object.defineProperty;
 var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
-var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
 var __exportAll = (all, no_symbols) => {
 	let target = {};
 	for (var name in all) __defProp(target, name, {
@@ -27,10 +23,5 @@ var __copyProps = (to, from, except, desc) => {
 	return to;
 };
 var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
-var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", {
-	value: mod,
-	enumerable: true
-}) : target, mod));
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
-export { __commonJSMin, __exportAll, __reExport, __require, __toESM };
+export { __exportAll, __reExport };

package/dist/api/index.d.mts CHANGED Viewed

@@ -11,7 +11,7 @@ import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEm
 import { error } from "./routes/error.mjs";
 import { ok } from "./routes/ok.mjs";
 import { requestPasswordReset, requestPasswordResetCallback, resetPassword, verifyPassword } from "./routes/password.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { signInEmail, signInSocial } from "./routes/sign-in.mjs";
 import { signOut } from "./routes/sign-out.mjs";
 import { signUpEmail } from "./routes/sign-up.mjs";
@@ -25,7 +25,7 @@ import { InternalLogger } from "@better-auth/core/env";
 import { APIError } from "@better-auth/core/error";
 import * as _better_auth_core_oauth20 from "@better-auth/core/oauth2";
 import * as better_call0 from "better-call";
-import { AuthEndpoint, AuthMiddleware, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+import { AuthEndpoint, AuthMiddleware, NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
 import * as zod from "zod";
 import * as zod_v4_core0 from "zod/v4/core";
@@ -3989,4 +3989,4 @@ declare const router: <Option extends BetterAuthOptions>(ctx: AuthContext, optio
   } extends infer T_2 ? { [K in keyof T_2 as K extends keyof T_1 ? never : K]: T_2[K] } : never) & T_1> : never : never : never;
 };
 //#endregion
-export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, type AuthEndpoint, type AuthMiddleware, type DispatchContext, NO_STORE_HEADERS, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/index.mjs CHANGED Viewed

@@ -2,10 +2,10 @@ import { isAPIError } from "../utils/is-api-error.mjs";
 import { requireOrgRole, requireResourceOwnership } from "./middlewares/authorization.mjs";
 import { formCsrfMiddleware, originCheck, originCheckMiddleware } from "./middlewares/origin-check.mjs";
 import { getIp } from "../utils/get-request-ip.mjs";
-import { onRequestRateLimit, onResponseRateLimit } from "./rate-limiter/index.mjs";
+import { onRequestRateLimit } from "./rate-limiter/index.mjs";
 import { addOAuthServerContext, getOAuthState } from "./state/oauth.mjs";
 import { getShouldSkipSessionRefresh, setShouldSkipSessionRefresh } from "./state/should-session-refresh.mjs";
-import { freshSessionMiddleware, getSession, getSessionFromCtx, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
+import { freshSessionMiddleware, getSession, getSessionFromCtx, isStateful, listSessions, requestOnlySessionMiddleware, revokeOtherSessions, revokeSession, revokeSessions, sensitiveSessionMiddleware, sessionMiddleware } from "./routes/session.mjs";
 import { accountInfo, getAccessToken, linkSocialAccount, listUserAccounts, refreshToken, unlinkAccount } from "./routes/account.mjs";
 import { callbackOAuth } from "./routes/callback.mjs";
 import { createEmailVerificationToken, sendVerificationEmail, sendVerificationEmailFn, verifyEmail } from "./routes/email-verification.mjs";
@@ -24,7 +24,7 @@ import { APIError } from "@better-auth/core/error";
 import { ATTR_CONTEXT, ATTR_HOOK_TYPE, ATTR_HTTP_RESPONSE_STATUS_CODE, ATTR_HTTP_ROUTE, withSpan } from "@better-auth/core/instrumentation";
 import { normalizePathname } from "@better-auth/core/utils/url";
 import { createRouter } from "better-call";
-import { createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
+import { NO_STORE_HEADERS, createAuthEndpoint, createAuthMiddleware, optionsMiddleware } from "@better-auth/core/api";
 //#region src/api/index.ts
 function checkEndpointConflicts(options, logger) {
 	const endpointRegistry = /* @__PURE__ */ new Map();
@@ -178,7 +178,6 @@ const router = (ctx, options) => {
 			return currentRequest;
 		},
 		async onResponse(res, req) {
-			await onResponseRateLimit(req, ctx);
 			for (const plugin of ctx.options.plugins || []) if (plugin.onResponse) {
 				const response = await withSpan(`onResponse ${plugin.id}`, {
 					[ATTR_HOOK_TYPE]: "onResponse",
@@ -214,4 +213,4 @@ const router = (ctx, options) => {
 	});
 };
 //#endregion
-export { APIError, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };
+export { APIError, NO_STORE_HEADERS, accountInfo, addOAuthServerContext, callbackOAuth, changeEmail, changePassword, checkEndpointConflicts, createAuthEndpoint, createAuthMiddleware, createEmailVerificationToken, deleteUser, deleteUserCallback, dispatchAuthEndpoint, error, formCsrfMiddleware, freshSessionMiddleware, getAccessToken, getEndpoints, getIp, getOAuthState, getSession, getSessionFromCtx, getShouldSkipSessionRefresh, isAPIError, isStateful, linkSocialAccount, listSessions, listUserAccounts, ok, optionsMiddleware, originCheck, originCheckMiddleware, refreshToken, requestOnlySessionMiddleware, requestPasswordReset, requestPasswordResetCallback, requireOrgRole, requireResourceOwnership, resetPassword, revokeOtherSessions, revokeSession, revokeSessions, router, sendVerificationEmail, sendVerificationEmailFn, sensitiveSessionMiddleware, sessionMiddleware, setPassword, setShouldSkipSessionRefresh, signInEmail, signInSocial, signOut, signUpEmail, unlinkAccount, updateSession, updateUser, verifyEmail, verifyPassword };

package/dist/api/middlewares/origin-check.mjs CHANGED Viewed

@@ -23,7 +23,10 @@ function shouldSkipOriginCheck(ctx) {
 	if (Array.isArray(skipOriginCheck) && ctx.request) try {
 		const basePath = new URL(ctx.context.baseURL).pathname;
 		const currentPath = normalizePathname(ctx.request.url, basePath);
-		return skipOriginCheck.some((skipPath) => currentPath.startsWith(skipPath));
+		return skipOriginCheck.some((skipPath) => {
+			const normalizedSkipPath = skipPath.replace(/\/+$/, "");
+			return currentPath === normalizedSkipPath || currentPath.startsWith(`${normalizedSkipPath}/`);
+		});
 	} catch {}
 	return false;
 }
@@ -47,6 +50,7 @@ const originCheckMiddleware = createAuthMiddleware(async (ctx) => {
 	const newUserCallbackURL = body?.newUserCallbackURL;
 	const validateURL = (url, label) => {
 		if (!url) return;
+		if (typeof url !== "string") throw APIError.fromStatus("BAD_REQUEST", { message: `Invalid ${label}: expected a string` });
 		if (!ctx.context.isTrustedOrigin(url, { allowRelativePaths: label !== "origin" })) {
 			ctx.context.logger.error(`Invalid ${label}: ${url}`);
 			ctx.context.logger.info(`If it's a valid URL, please add ${url} to trustedOrigins in your auth config\n`, `Current list of trustedOrigins: ${ctx.context.trustedOrigins}`);

package/dist/api/rate-limiter/index.mjs CHANGED Viewed

@@ -1,14 +1,66 @@
 import { wildcardMatch } from "../../utils/wildcard.mjs";
 import { getIp } from "../../utils/get-request-ip.mjs";
-import { safeJSONParse } from "@better-auth/core/utils/json";
+import { BetterAuthError } from "@better-auth/core/error";
 import { normalizePathname } from "@better-auth/core/utils/url";
 import { createRateLimitKey } from "@better-auth/core/utils/ip";
 //#region src/api/rate-limiter/index.ts
 const memory = /* @__PURE__ */ new Map();
-function shouldRateLimit(max, window, rateLimitData) {
+const MEMORY_STORE_MAX_ENTRIES = 1e5;
+function pruneMemoryStore() {
 	const now = Date.now();
-	const windowInMs = window * 1e3;
-	return now - rateLimitData.lastRequest < windowInMs && rateLimitData.count >= max;
+	for (const [key, entry] of memory) if (now >= entry.expiresAt) memory.delete(key);
+	if (memory.size <= MEMORY_STORE_MAX_ENTRIES) return;
+	const overflow = memory.size - MEMORY_STORE_MAX_ENTRIES;
+	let removed = 0;
+	for (const key of memory.keys()) {
+		memory.delete(key);
+		if (++removed >= overflow) break;
+	}
+}
+/**
+* Decide an atomic rate-limit step against an in-memory `RateLimit` snapshot
+* for the rolling `window` (seconds) and `max`. Shared by the memory backend
+* (read-decide-write is atomic under single-threaded JS) and as the fallback
+* for storages lacking an atomic primitive.
+*/
+function decideConsume(data, rule, now) {
+	const windowInMs = rule.window * 1e3;
+	if (!data) return {
+		next: {
+			key: "",
+			count: 1,
+			lastRequest: now
+		},
+		update: false,
+		allowed: true,
+		retryAfter: null
+	};
+	if (now - data.lastRequest >= windowInMs) return {
+		next: {
+			...data,
+			count: 1,
+			lastRequest: now
+		},
+		update: true,
+		allowed: true,
+		retryAfter: null
+	};
+	if (data.count >= rule.max) return {
+		next: data,
+		update: true,
+		allowed: false,
+		retryAfter: getRetryAfter(data.lastRequest, rule.window)
+	};
+	return {
+		next: {
+			...data,
+			count: data.count + 1,
+			lastRequest: now
+		},
+		update: true,
+		allowed: true,
+		retryAfter: null
+	};
 }
 function rateLimitResponse(retryAfter) {
 	return new Response(JSON.stringify({ message: "Too many requests. Please try again later." }), {
@@ -25,94 +77,173 @@ function getRetryAfter(lastRequest, window) {
 function createDatabaseStorageWrapper(ctx) {
 	const model = "rateLimit";
 	const db = ctx.adapter;
-	return {
-		get: async (key) => {
-			const data = (await db.findMany({
+	let longestObservedWindow = Math.max(...getConfiguredRateLimitWindows(ctx));
+	const readRow = async (key) => {
+		const data = (await db.findMany({
+			model,
+			where: [{
+				field: "key",
+				value: key
+			}]
+		}))[0];
+		if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
+		return data;
+	};
+	const consume = async (key, rule) => {
+		if (rule.window > longestObservedWindow) longestObservedWindow = rule.window;
+		const windowInMs = rule.window * 1e3;
+		const data = await readRow(key);
+		const now = Date.now();
+		if (!data) try {
+			await db.create({
+				model,
+				data: {
+					key,
+					count: 1,
+					lastRequest: now
+				}
+			});
+			return {
+				allowed: true,
+				retryAfter: null
+			};
+		} catch (error) {
+			if (!await readRow(key)) throw error;
+			return consume(key, rule);
+		}
+		if (now - data.lastRequest >= windowInMs) {
+			if (await db.incrementOne({
 				model,
 				where: [{
 					field: "key",
 					value: key
-				}]
-			}))[0];
-			if (typeof data?.lastRequest === "bigint") data.lastRequest = Number(data.lastRequest);
-			return data;
-		},
-		set: async (key, value, _update) => {
-			try {
-				if (_update) await db.updateMany({
-					model,
-					where: [{
-						field: "key",
-						value: key
-					}],
-					update: {
-						count: value.count,
-						lastRequest: value.lastRequest
-					}
-				});
-				else await db.create({
-					model,
-					data: {
-						key,
-						count: value.count,
-						lastRequest: value.lastRequest
-					}
-				});
-			} catch (e) {
-				ctx.logger.error("Error setting rate limit", e);
+				}, {
+					field: "lastRequest",
+					operator: "lte",
+					value: data.lastRequest
+				}],
+				increment: {},
+				set: {
+					count: 1,
+					lastRequest: now
+				}
+			})) {
+				deleteExpiredRows(now);
+				return {
+					allowed: true,
+					retryAfter: null
+				};
 			}
+			return consume(key, rule);
 		}
+		const windowStart = now - windowInMs;
+		if (await db.incrementOne({
+			model,
+			where: [
+				{
+					field: "key",
+					value: key
+				},
+				{
+					field: "lastRequest",
+					operator: "gt",
+					value: windowStart
+				},
+				{
+					field: "count",
+					operator: "lt",
+					value: rule.max
+				}
+			],
+			increment: { count: 1 },
+			set: { lastRequest: now }
+		})) return {
+			allowed: true,
+			retryAfter: null
+		};
+		const fresh = await readRow(key);
+		if (!fresh) return consume(key, rule);
+		if (now - fresh.lastRequest >= windowInMs) return consume(key, rule);
+		return {
+			allowed: false,
+			retryAfter: getRetryAfter(fresh.lastRequest, rule.window)
+		};
+	};
+	const deleteExpiredRows = (now) => {
+		const cutoff = now - longestObservedWindow * 1e3;
+		ctx.runInBackground(db.deleteMany({
+			model,
+			where: [{
+				field: "lastRequest",
+				operator: "lt",
+				value: cutoff
+			}]
+		}).then(() => void 0).catch((e) => ctx.logger.error("Error pruning rate limit rows", e)));
 	};
+	return { consume };
+}
+function getConfiguredRateLimitWindows(ctx) {
+	const windows = [ctx.rateLimit.window, ...getDefaultSpecialRules().map((rule) => rule.window)];
+	for (const plugin of ctx.options.plugins || []) if (plugin.rateLimit) windows.push(...plugin.rateLimit.map((rule) => rule.window));
+	if (ctx.rateLimit.customRules) {
+		for (const customRule of Object.values(ctx.rateLimit.customRules)) if (customRule && typeof customRule !== "function") windows.push(customRule.window);
+	}
+	const validWindows = windows.filter((window) => Number.isFinite(window) && window > 0);
+	return validWindows.length > 0 ? validWindows : [ctx.rateLimit.window];
 }
 function getRateLimitStorage(ctx, rateLimitSettings) {
 	if (ctx.options.rateLimit?.customStorage) return ctx.options.rateLimit.customStorage;
 	const storage = ctx.rateLimit.storage;
-	if (storage === "secondary-storage") return {
-		get: async (key) => {
-			const data = await ctx.options.secondaryStorage?.get(key);
-			return data ? safeJSONParse(data) : null;
-		},
-		set: async (key, value, _update) => {
-			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
-			await ctx.options.secondaryStorage?.set?.(key, JSON.stringify(value), ttl);
-		}
-	};
-	else if (storage === "memory") return {
-		async get(key) {
+	if (storage === "secondary-storage") {
+		const ttlFor = (window) => window ?? ctx.options.rateLimit?.window ?? 10;
+		const increment = ctx.options.secondaryStorage?.increment;
+		if (!increment) throw new BetterAuthError("Secondary-storage rate limiting requires SecondaryStorage.increment.");
+		return { consume: async (key, rule) => {
+			if (await increment(key, ttlFor(rule.window)) <= rule.max) return {
+				allowed: true,
+				retryAfter: null
+			};
+			return {
+				allowed: false,
+				retryAfter: rule.window
+			};
+		} };
+	} else if (storage === "memory") {
+		const ttlFor = (window) => window ?? ctx.options.rateLimit?.window ?? 10;
+		return { async consume(key, rule) {
+			pruneMemoryStore();
+			const now = Date.now();
 			const entry = memory.get(key);
-			if (!entry) return null;
-			if (Date.now() >= entry.expiresAt) {
-				memory.delete(key);
-				return null;
-			}
-			return entry.data;
-		},
-		async set(key, value, _update) {
-			const ttl = rateLimitSettings?.window ?? ctx.options.rateLimit?.window ?? 10;
-			const expiresAt = Date.now() + ttl * 1e3;
-			memory.set(key, {
-				data: value,
-				expiresAt
+			const decision = decideConsume(entry && now < entry.expiresAt ? entry.data : void 0, rule, now);
+			if (decision.allowed) memory.set(key, {
+				data: {
+					...decision.next,
+					key
+				},
+				expiresAt: now + ttlFor(rule.window) * 1e3
 			});
-		}
-	};
+			return {
+				allowed: decision.allowed,
+				retryAfter: decision.retryAfter
+			};
+		} };
+	}
 	return createDatabaseStorageWrapper(ctx);
 }
 let ipWarningLogged = false;
+const NO_TRUSTED_IP_KEY = "no-trusted-ip";
 async function resolveRateLimitConfig(req, ctx) {
 	const basePath = new URL(ctx.baseURL).pathname;
 	const path = normalizePathname(req.url, basePath);
 	let currentWindow = ctx.rateLimit.window;
 	let currentMax = ctx.rateLimit.max;
 	const ip = getIp(req, ctx.options);
-	if (!ip) {
-		if (!ipWarningLogged) {
-			ctx.logger.warn("Rate limiting skipped: could not determine client IP address. Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed.");
-			ipWarningLogged = true;
-		}
-		return null;
+	if (!ip && ctx.options.advanced?.ipAddress?.disableIpTracking) return null;
+	if (!ip && !ipWarningLogged) {
+		ctx.logger.warn("Rate limiting could not determine a client IP and is falling back to a single shared per-path bucket. Ensure your runtime forwards a trusted client IP header and configure `advanced.ipAddress.ipAddressHeaders` if needed.");
+		ipWarningLogged = true;
 	}
-	const key = createRateLimitKey(ip, path);
+	const key = createRateLimitKey(ip ?? NO_TRUSTED_IP_KEY, path);
 	const specialRule = getDefaultSpecialRules().find((rule) => rule.pathMatcher(path));
 	if (specialRule) {
 		currentWindow = specialRule.window;
@@ -150,37 +281,24 @@ async function resolveRateLimitConfig(req, ctx) {
 		currentMax
 	};
 }
+/**
+* Decides the rate limit for the request in a single atomic step. The whole
+* check-and-increment happens here in the request phase; there is no separate
+* response-phase write-back, so concurrent requests cannot all pass a stale
+* read before any increment lands.
+*/
 async function onRequestRateLimit(req, ctx) {
 	if (!ctx.rateLimit.enabled) return;
 	const config = await resolveRateLimitConfig(req, ctx);
 	if (!config) return;
 	const { key, currentWindow, currentMax } = config;
-	const data = await getRateLimitStorage(ctx, { window: currentWindow }).get(key);
-	if (data && shouldRateLimit(currentMax, currentWindow, data)) return rateLimitResponse(getRetryAfter(data.lastRequest, currentWindow));
-}
-async function onResponseRateLimit(req, ctx) {
-	if (!ctx.rateLimit.enabled) return;
-	const config = await resolveRateLimitConfig(req, ctx);
-	if (!config) return;
-	const { key, currentWindow } = config;
 	const storage = getRateLimitStorage(ctx, { window: currentWindow });
-	const data = await storage.get(key);
-	const now = Date.now();
-	if (!data) await storage.set(key, {
-		key,
-		count: 1,
-		lastRequest: now
-	});
-	else if (now - data.lastRequest > currentWindow * 1e3) await storage.set(key, {
-		...data,
-		count: 1,
-		lastRequest: now
-	}, true);
-	else await storage.set(key, {
-		...data,
-		count: data.count + 1,
-		lastRequest: now
-	}, true);
+	const rule = {
+		window: currentWindow,
+		max: currentMax
+	};
+	const { allowed, retryAfter } = await storage.consume(key, rule);
+	if (!allowed) return rateLimitResponse(retryAfter ?? currentWindow);
 }
 function getDefaultSpecialRules() {
 	return [{
@@ -198,4 +316,4 @@ function getDefaultSpecialRules() {
 	}];
 }
 //#endregion
-export { onRequestRateLimit, onResponseRateLimit };
+export { onRequestRateLimit };

package/dist/api/routes/account.mjs CHANGED Viewed

@@ -1,3 +1,4 @@
+import { shouldBindAccountCookieToSessionUser } from "../../context/store-capabilities.mjs";
 import { parseAccountOutput } from "../../db/schema.mjs";
 import { generateRandomString } from "../../crypto/random.mjs";
 import { getAccountCookie } from "../../cookies/session-store.mjs";
@@ -6,8 +7,8 @@ import { missingEmailLogMessage } from "../../oauth2/errors.mjs";
 import { decryptOAuthToken } from "../../oauth2/token-encryption.mjs";
 import { persistOAuthAccount } from "../../oauth2/persist-account.mjs";
 import { applyUpdateUserInfoOnLink } from "../../oauth2/resolve-account.mjs";
-import { generateState } from "../../oauth2/state.mjs";
-import { freshSessionMiddleware, getSessionFromCtx, sessionMiddleware } from "./session.mjs";
+import { generateIdTokenNonce, generateState } from "../../oauth2/state.mjs";
+import { freshSessionMiddleware, getSessionFromCtx, isStateful, sessionMiddleware } from "./session.mjs";
 import { APIError, BASE_ERROR_CODES } from "@better-auth/core/error";
 import { additionalAuthorizationParamsSchema, readGrantedScopes, supportsIdTokenSignIn, verifyProviderIdToken } from "@better-auth/core/oauth2";
 import { SocialProviderListEnum } from "@better-auth/core/social-providers";
@@ -126,7 +127,7 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		}
 		const { token, nonce } = c.body.idToken;
 		if (!await verifyProviderIdToken(provider, token, nonce)) {
-			c.context.logger.error("Invalid id token", { provider: c.body.provider });
+			c.context.logger.warn("Invalid id token", { provider: c.body.provider });
 			throw APIError.from("UNAUTHORIZED", BASE_ERROR_CODES.INVALID_TOKEN);
 		}
 		const linkingUserInfo = await provider.getUserInfo({
@@ -183,9 +184,11 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 	}
 	const stateNonce = generateRandomString(32);
 	const codeVerifier = generateRandomString(128);
+	const idTokenNonce = generateIdTokenNonce(provider);
 	const { url, requestedScopes } = await provider.createAuthorizationURL({
 		state: stateNonce,
 		codeVerifier,
+		idTokenNonce,
 		redirectURI: `${c.context.baseURL}${provider.callbackPath}`,
 		scopes: c.body.scopes,
 		loginHint: c.body.loginHint,
@@ -199,7 +202,8 @@ const linkSocialAccount = createAuthEndpoint("/link-social", {
 		additionalData: c.body.additionalData,
 		requestedScopes,
 		state: stateNonce,
-		codeVerifier
+		codeVerifier,
+		idTokenNonce
 	});
 	if (!c.body.disableRedirect) c.setHeader("Location", url.toString());
 	return c.json({
@@ -250,7 +254,7 @@ const unlinkAccount = createAuthEndpoint("/unlink-account", {
 * so the cache is left in place for them.
 */
 async function resolveUserId(ctx, userId) {
-	const session = await getSessionFromCtx(ctx, { disableCookieCache: !!ctx.context.options.database || !!ctx.context.options.secondaryStorage });
+	const session = await getSessionFromCtx(ctx, { disableCookieCache: isStateful(ctx) });
 	if (!session && (ctx.request || ctx.headers)) throw ctx.error("UNAUTHORIZED");
 	const resolvedUserId = session?.user?.id || userId;
 	if (!resolvedUserId) throw APIError.from("BAD_REQUEST", {
@@ -259,6 +263,9 @@ async function resolveUserId(ctx, userId) {
 	});
 	return resolvedUserId;
 }
+function matchesAccountSelection(ctx, account, { resolvedUserId, providerId, accountId }) {
+	return (!shouldBindAccountCookieToSessionUser(ctx.context.options) || account.userId === resolvedUserId) && (!providerId || providerId === account.providerId) && (!accountId || account.accountId === accountId);
+}
 /**
 * Fetches a currently-valid access token for a user's provider account,
 * refreshing and persisting it when it is within five seconds of expiry.
@@ -274,7 +281,11 @@ async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId,
 	let account = resolvedAccount;
 	if (!account) {
 		const accountData = await getAccountCookie(ctx);
-		if (accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+		if (accountData && matchesAccountSelection(ctx, accountData, {
+			resolvedUserId,
+			providerId,
+			accountId
+		})) account = accountData;
 		else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	}
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
@@ -283,7 +294,7 @@ async function getValidAccessToken(ctx, { resolvedUserId, providerId, accountId,
 		const accessTokenExpired = account.accessTokenExpiresAt && new Date(account.accessTokenExpiresAt).getTime() - Date.now() < 5e3;
 		if (account.refreshToken && accessTokenExpired && provider.refreshAccessToken) {
 			const refreshToken = await decryptOAuthToken(account.refreshToken, ctx.context);
-			newTokens = await provider.refreshAccessToken(refreshToken);
+			newTokens = await provider.refreshAccessToken(refreshToken, ctx);
 			await persistOAuthAccount(ctx, {
 				userId: account.userId,
 				providerId: account.providerId,
@@ -401,14 +412,18 @@ const refreshToken = createAuthEndpoint("/refresh-token", {
 	});
 	let account = void 0;
 	const accountData = await getAccountCookie(ctx);
-	if (!!accountData && accountData.userId === resolvedUserId && providerId === accountData.providerId && (!accountId || accountData.accountId === accountId)) account = accountData;
+	if (!!accountData && matchesAccountSelection(ctx, accountData, {
+		resolvedUserId,
+		providerId,
+		accountId
+	})) account = accountData;
 	else account = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).find((acc) => accountId ? acc.accountId === accountId && acc.providerId === providerId : acc.providerId === providerId);
 	if (!account) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const refreshToken = account.refreshToken ?? void 0;
 	if (!refreshToken) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.REFRESH_TOKEN_NOT_FOUND);
 	try {
 		const decryptedRefreshToken = await decryptOAuthToken(refreshToken, ctx.context);
-		const tokens = await provider.refreshAccessToken(decryptedRefreshToken);
+		const tokens = await provider.refreshAccessToken(decryptedRefreshToken, ctx);
 		await persistOAuthAccount(ctx, {
 			userId: account.userId,
 			providerId: account.providerId,
@@ -475,7 +490,10 @@ const accountInfo = createAuthEndpoint("/account-info", {
 	if (!providedAccountId) {
 		if (ctx.context.options.account?.storeAccountCookie) {
 			const accountData = await getAccountCookie(ctx);
-			if (accountData) account = accountData;
+			if (accountData && matchesAccountSelection(ctx, accountData, {
+				resolvedUserId,
+				providerId: providedProviderId
+			})) account = accountData;
 		}
 	} else {
 		const matchingAccounts = (await ctx.context.internalAdapter.findAccounts(resolvedUserId)).filter((acc) => acc.accountId === providedAccountId && (!providedProviderId || acc.providerId === providedProviderId));
@@ -485,7 +503,7 @@ const accountInfo = createAuthEndpoint("/account-info", {
 		});
 		account = matchingAccounts[0];
 	}
-	if (!account || account.userId !== resolvedUserId) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
+	if (!account || !matchesAccountSelection(ctx, account, { resolvedUserId })) throw APIError.from("BAD_REQUEST", BASE_ERROR_CODES.ACCOUNT_NOT_FOUND);
 	const provider = await getAwaitableValue(ctx.context.socialProviders, { value: account.providerId });
 	if (!provider) throw APIError.from("BAD_REQUEST", {
 		message: "Account is not associated with a configured social provider.",